INFORMATION SECURITY PROGRAM (ISP)

[Official Company Name]


TABLE OF CONTENTS

NOTICE 13
REFERENCED FRAMEWORKS & SUPPORTING PRACTICES 13
INFORMATION SECURITY PROGRAM (ISP) OVERVIEW 14
INTRODUCTION 14
PURPOSE 14
SCOPE & APPLICABILITY 15
POLICY OVERVIEW 15
VIOLATIONS 15
EXCEPTIONS 15
UPDATES 15
KEY TERMINOLOGY 16
INFORMATION SECURITY PROGRAM STRUCTURE 18
MANAGEMENT DIRECTION FOR INFORMATION SECURITY 18
POLICIES, STANDARDS, PROCEDURES & GUIDELINES STRUCTURE 18
SECURITY & PRIVACY GOVERNANCE (GOV) 19
GOV-01: DIGITAL SECURITY GOVERNANCE PROGRAM 19
GOV-02: PUBLISHING SECURITY & PRIVACY POLICIES 19
GOV-03: PERIODIC REVIEW & UPDATE OF CYBERSECURITY DOCUMENTATION 19
GOV-04: ASSIGNED SECURITY RESPONSIBILITIES 20
GOV-05: MEASURES OF PERFORMANCE 20
GOV-05(A): MEASURES OF PERFORMANCE | KEY PERFORMANCE INDICATORS (KPIS) 20
GOV-05(B): MEASURES OF PERFORMANCE | KEY RISK INDICATORS (KRIS) 21
GOV-06: CONTACTS WITH AUTHORITIES 21
GOV-07: CONTACTS WITH SECURITY GROUPS & ASSOCIATIONS 21
ASSET MANAGEMENT (AST) 22
AST-01: ASSET GOVERNANCE 22
AST-02: ASSET INVENTORIES 22
AST-02(A): ASSET INVENTORIES | UPDATES DURING INSTALLATIONS / REMOVALS 23
AST-02(C): ASSET INVENTORIES | COMPONENT DUPLICATION AVOIDANCE 23
AST-02(G): ASSET INVENTORIES | SOFTWARE LICENSING RESTRICTIONS 23
AST-03: ASSIGNING OWNERSHIP OF ASSETS 23
AST-04: NETWORK DIAGRAMS & DATA FLOW DIAGRAMS (DFDS) 24
AST-05: SECURITY OF ASSETS & MEDIA 24
AST-06: UNATTENDED END-USER EQUIPMENT 24
AST-06(A): UNATTENDED END-USER EQUIPMENT | LAPTOP STORAGE IN AUTOMOBILES 25
AST-07: KIOSKS & POINT OF SALE (POS) DEVICES 25
AST-09: SECURE DISPOSAL OR RE-USE OF EQUIPMENT 26
AST-10: RETURN OF ASSETS 26
AST-11: REMOVAL OF ASSETS 26
AST-12: USE OF PERSONAL DEVICES 27
AST-13: USE OF THIRD-PARTY DEVICES 27
AST-14: USAGE PARAMETERS 27
AST-15: TAMPER PROTECTION 28
AST-15(A): TAMPER RESISTANCE & DETECTION | INSPECTION OF SYSTEMS, COMPONENTS & DEVICES 28
BUSINESS CONTINUITY & DISASTER RECOVERY (BCD) 28
BCD-01: CONTINGENCY PLAN 28
BCD-01(A): CONTINGENCY PLAN | COORDINATE WITH RELATED PLANS 29
BCD-01(B): CONTINGENCY PLAN | COORDINATE WITH EXTERNAL SERVICE PROVIDERS 29
BCD-04: CONTINGENCY PLAN TESTING & EXERCISES 30
BCD-04(A): CONTINGENCY PLAN TESTING | COORDINATED TESTING WITH RELATED PLANS 30
BCD-05: CONTINGENCY PLAN ROOT CAUSE ANALYSIS (RCA) & LESSONS LEARNED 30
BCD-06: CONTINGENCY PLAN UPDATE 31
BCD-08: ALTERNATE STORAGE SITE 31

Base + NIST 800-171 Security Program - Version 2018.5 Page 2 of 241


BCD-08(A): ALTERNATE STORAGE SITE | SEPARATION FROM PRIMARY SITE 31
BCD-08(B): ALTERNATE STORAGE SITE | ACCESSIBILITY 31
BCD-09: ALTERNATE PROCESSING SITE 32
BCD-09(A): ALTERNATE PROCESSING SITE | SEPARATION FROM PRIMARY SITE 32
BCD-09(B): ALTERNATE PROCESSING SITE | ACCESSIBILITY 32
BCD-09(C): ALTERNATE PROCESSING SITE | PRIORITY OF SERVICE 33
BCD-11: DATA BACKUPS 33
BCD-11(A): DATA BACKUPS | TESTING FOR RELIABILITY & INTEGRITY 35
BCD-11(B): DATA BACKUPS | SEPARATE STORAGE FOR CRITICAL INFORMATION 35
BCD-11(C): DATA BACKUPS | INFORMATION SYSTEM IMAGING 35
BCD-11(D): DATA BACKUPS | CRYPTOGRAPHIC PROTECTION 35
BCD-12: INFORMATION SYSTEM RECOVERY & RECONSTITUTION 35
BCD-12(A): INFORMATION SYSTEM RECOVERY & RECONSTITUTION | TRANSACTION RECOVERY 36
BCD-12(B): INFORMATION SYSTEM RECOVERY & RECONSTITUTION | FAILOVER CAPABILITY 36
BCD-12(C): INFORMATION SYSTEM RECOVERY & RECONSTITUTION | ELECTRONIC DISCOVERY (EDISCOVERY) 36
CAPACITY & PERFORMANCE PLANNING (CAP) 36
CAP-01: CAPACITY & PERFORMANCE MANAGEMENT 37
CHANGE MANAGEMENT (CHG) 37
CHG-01: CHANGE MANAGEMENT PROGRAM 37
CHG-02: CONFIGURATION CHANGE CONTROL 37
CHG-02(B): CONFIGURATION CHANGE CONTROL | TEST, VALIDATE & DOCUMENT CHANGES 38
CHG-02(C): CONFIGURATION CHANGE CONTROL | SECURITY REPRESENTATIVE FOR CHANGE 38
CHG-03: SECURITY IMPACT ANALYSIS FOR CHANGES 39
CHG-04: ACCESS RESTRICTION FOR CHANGE 39
CHG-04(A): ACCESS RESTRICTIONS FOR CHANGE | AUTOMATED ACCESS ENFORCEMENT / AUDITING 39
CHG-04(B): ACCESS RESTRICTIONS FOR CHANGE | SIGNED COMPONENTS 39
CHG-04(C): ACCESS RESTRICTIONS FOR CHANGE | DUAL AUTHORIZATION FOR CHANGE 40
CHG-04(D): ACCESS RESTRICTIONS FOR CHANGE | LIMIT PRODUCTION / OPERATIONAL PRIVILEGES (INCOMPATIBLE ROLES) 40
CHG-04(E): ACCESS RESTRICTIONS FOR CHANGE | LIBRARY PRIVILEGES 40
CHG-05: STAKEHOLDER NOTIFICATION OF CHANGES 40
CLOUD SECURITY (CLD) 41
CLD-01: CLOUD SERVICES 41
COMPLIANCE (CPL) 41
CPL-01: STATUTORY, REGULATORY & CONTRACTUAL COMPLIANCE 42
CPL-02: SECURITY CONTROLS OVERSIGHT 42
CPL-03: SECURITY ASSESSMENTS 43
CPL-03(A): SECURITY ASSESSMENTS | INDEPENDENT ASSESSORS 43
CPL-03(B): SECURITY ASSESSMENTS | FUNCTIONAL REVIEW OF SECURITY CONTROLS 43
CPL-04: AUDIT ACTIVITIES 44
CONFIGURATION MANAGEMENT (CFG) 45
CFG-01: CONFIGURATION MANAGEMENT PROGRAM 45
CFG-02: SYSTEM HARDENING THROUGH BASELINE CONFIGURATIONS 45
CFG-02(A): SYSTEM HARDENING THROUGH BASELINE CONFIGURATIONS | REVIEWS & UPDATES 46
CFG-02(D): SYSTEM HARDENING THROUGH BASELINE CONFIGURATIONS | DEVELOPMENT & TEST ENVIRONMENTS 47
CFG-02(E): SYSTEM HARDENING THROUGH BASELINE CONFIGURATIONS | CONFIGURE SYSTEMS, COMPONENTS OR DEVICES FOR HIGH-RISK AREAS 47
CFG-02(F): SYSTEM HARDENING THROUGH BASELINE CONFIGURATIONS | NETWORK DEVICE CONFIGURATION FILE SYNCHRONIZATION 47
CFG-03: LEAST FUNCTIONALITY 48
CFG-03(A): LEAST FUNCTIONALITY | PERIODIC REVIEW 48
CFG-03(B): LEAST FUNCTIONALITY | PREVENT PROGRAM EXECUTION 48
CFG-03(C): LEAST FUNCTIONALITY | UNAUTHORIZED OR AUTHORIZED SOFTWARE (BLACKLISTING OR WHITELISTING) 49
CFG-03(D): LEAST FUNCTIONALITY | SPLIT TUNNELING 49
CFG-05: USER-INSTALLED SOFTWARE 49
CFG-05(A): USER-INSTALLED SOFTWARE | UNAUTHORIZED INSTALLATION ALERTS 49
CFG-05(B): USER-INSTALLED SOFTWARE | PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS 50

CONTINUOUS MONITORING (MON) 51
MON-01: CONTINUOUS MONITORING 51
MON-01(B): CONTINUOUS MONITORING | AUTOMATED TOOLS FOR REAL-TIME ANALYSIS 52
MON-01(C): CONTINUOUS MONITORING | INBOUND & OUTBOUND COMMUNICATIONS TRAFFIC 52
MON-01(D): CONTINUOUS MONITORING | SYSTEM GENERATED ALERTS 52
MON-01(E): CONTINUOUS MONITORING | WIRELESS INTRUSION DETECTION SYSTEM (WIDS) 53
MON-01(G): CONTINUOUS MONITORING | FILE INTEGRITY MONITORING (FIM) 53
MON-01(H): CONTINUOUS MONITORING | REVIEWS & UPDATES 53
MON-02: CENTRALIZED EVENT LOG COLLECTION 53
MON-02(A): CENTRALIZED SECURITY EVENT LOG COLLECTION | CORRELATE MONITORING INFORMATION 54
MON-03: CONTENT OF AUDIT RECORDS 54
MON-03(A): CONTENT OF AUDIT RECORDS | SENSITIVE AUDIT INFORMATION 55
MON-03(B): CONTENT OF AUDIT RECORDS | AUDIT TRAILS 55
MON-03(C): CONTENT OF AUDIT RECORDS | PRIVILEGED FUNCTIONS LOGGING 55
MON-05: RESPONSE TO AUDIT PROCESSING FAILURES 56
MON-05(A): RESPONSE TO AUDIT PROCESSING FAILURES | REAL-TIME ALERTS 56
MON-06: MONITORING REPORTING 56
MON-06(A): MONITORING REPORTING | QUERY PARAMETER AUDITS OF PERSONAL INFORMATION (PI) 56
MON-07: TIME STAMPS 56
MON-07(A): TIME STAMPS | SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE 57
MON-08: PROTECTION OF AUDIT INFORMATION 57
MON-08(B): PROTECTION OF AUDIT INFORMATION | ACCESS BY SUBSET OF PRIVILEGED USERS 58
MON-10: AUDIT RECORD RETENTION 58
MON-16: ANOMALOUS BEHAVIOR 58
MON-16(A): ANOMALOUS BEHAVIOR | INSIDER THREATS 59
MON-16(B): ANOMALOUS BEHAVIOR | THIRD-PARTY THREATS 59
MON-16(C): ANOMALOUS BEHAVIOR | UNAUTHORIZED ACTIVITIES 59
CRYPTOGRAPHIC PROTECTIONS (CRY) 60
CRY-01: USE OF CRYPTOGRAPHIC CONTROLS 60
CRY-01(A): USE OF CRYPTOGRAPHIC CONTROLS | ALTERNATE PHYSICAL PROTECTION 60
CRY-01(B): USE OF CRYPTOGRAPHIC CONTROLS | EXPORT-CONTROLLED TECHNOLOGY 61
CRY-02: CRYPTOGRAPHIC MODULE AUTHENTICATION 61
CRY-03: TRANSMISSION CONFIDENTIALITY 61
CRY-04: TRANSMISSION INTEGRITY 62
CRY-05: ENCRYPTING DATA AT REST 62
CRY-05(A): ENCRYPTING DATA AT REST | STORAGE MEDIA 63
CRY-06: NON-CONSOLE ADMINISTRATIVE ACCESS 63
CRY-07: WIRELESS ACCESS AUTHENTICATION & ENCRYPTION 63
CRY-08: PUBLIC KEY INFRASTRUCTURE (PKI) 63
CRY-09: CRYPTOGRAPHIC KEY MANAGEMENT 64
CRY-09(C): CRYPTOGRAPHIC KEY MANAGEMENT | CRYPTOGRAPHIC KEY LOSS OR CHANGE 65
CRY-09(D): CRYPTOGRAPHIC KEY MANAGEMENT | CONTROL & DISTRIBUTION OF CRYPTOGRAPHIC KEYS 65
DATA CLASSIFICATION & HANDLING (DCH) 65
DCH-01: DATA PROTECTION 66
DCH-01(A): DATA PROTECTION | DATA STEWARDSHIP 66
DCH-02: DATA & ASSET CLASSIFICATION 67
DCH-03: MEDIA ACCESS 67
DCH-03(B): MEDIA ACCESS | MASKING DISPLAYED DATA 67
DCH-04: MEDIA MARKING 67
DCH-04(A): MEDIA MARKING | AUTOMATED MARKING 68
DCH-06: MEDIA STORAGE 68
DCH-06(A): MEDIA STORAGE | PHYSICALLY SECURE ALL MEDIA 68
DCH-06(B): MEDIA STORAGE | SENSITIVE DATA INVENTORIES 69
DCH-06(D): MEDIA STORAGE | MAKING SENSITIVE DATA UNREADABLE IN STORAGE 69
DCH-06(E): MEDIA STORAGE | STORING AUTHENTICATION DATA 69
DCH-07: MEDIA TRANSPORTATION 70
DCH-07(A): MEDIA TRANSPORTATION | CUSTODIANS 70

DCH-08: PHYSICAL MEDIA DISPOSAL 71
DCH-09: DIGITAL MEDIA SANITIZATION 71
DCH-09(A): MEDIA SANITIZATION | MEDIA SANITIZATION DOCUMENTATION 71
DCH-09(C): MEDIA SANITIZATION | DESTRUCTION OF PERSONAL INFORMATION (PI) 71
DCH-10: MEDIA USE 72
DCH-10(A): MEDIA USE | LIMITATIONS ON USE 72
DCH-12: REMOVABLE MEDIA SECURITY 72
DCH-13: USE OF EXTERNAL INFORMATION SYSTEMS 72
DCH-13(A): USE OF EXTERNAL INFORMATION SYSTEMS | LIMITS OF AUTHORIZED USE 73
DCH-13(B): USE OF EXTERNAL INFORMATION SYSTEMS | PORTABLE STORAGE DEVICES 73
DCH-14: INFORMATION SHARING 73
DCH-15: PUBLICLY ACCESSIBLE CONTENT 74
DCH-18: MEDIA & DATA RETENTION 74
DCH-18(A): MEDIA & DATA RETENTION | LIMIT PERSONAL INFORMATION (PI) ELEMENTS 75
DCH-18(B): MEDIA & DATA RETENTION | LIMIT PERSONAL INFORMATION (PI) IN TESTING, TRAINING & RESEARCH 76
DCH-24: INFORMATION LOCATION 76
DCH-24(A): INFORMATION LOCATION | AUTOMATED TOOLS TO SUPPORT INFORMATION LOCATION 76
DCH-25: TRANSFER OF PERSONAL INFORMATION 76
EMBEDDED TECHNOLOGY (EMB) 78
EMB-01: EMBEDDED TECHNOLOGY SECURITY PROGRAM 78
ENDPOINT SECURITY (END) 78
END-01: ENDPOINT SECURITY 78
END-02: ENDPOINT PROTECTION MEASURES 79
END-03: PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS 79
END-03(B): PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS | ACCESS RESTRICTION FOR CHANGE 79
END-04: MALICIOUS CODE PROTECTION (ANTI-MALWARE) 80
END-04(A): MALICIOUS CODE PROTECTION | AUTOMATIC UPDATES 80
END-04(B): MALICIOUS CODE PROTECTION | DOCUMENTED PROTECTION MEASURES 81
END-04(F): MALICIOUS CODE PROTECTION | EVOLVING MALWARE THREATS 81
END-04(G): MALICIOUS CODE PROTECTION | ALWAYS ON PROTECTION 81
END-05: SOFTWARE FIREWALL 81
END-06: FILE INTEGRITY MONITORING (FIM) 82
END-06(A): FILE INTEGRITY MONITORING | INTEGRITY CHECKS 82
END-06(B): FILE INTEGRITY MONITORING | INTEGRATION OF DETECTION & RESPONSE 83
END-10: MOBILE CODE 83
END-13: SENSOR CAPABILITY 84
END-13(A): SENSOR CAPABILITY | AUTHORIZED USE 84
END-13(B): SENSOR CAPABILITY | NOTICE OF COLLECTION 84
END-13(C): SENSOR CAPABILITY | COLLECTION MINIMIZATION 84
END-14: COLLABORATIVE COMPUTING DEVICES 85
END-16: SECURITY FUNCTION ISOLATION 85
END-16(A): SECURITY FUNCTION ISOLATION | HOST-BASED SECURITY FUNCTION ISOLATION 86
HUMAN RESOURCES SECURITY (HRS) 87
HRS-01: HUMAN RESOURCES SECURITY MANAGEMENT 87
HRS-02: POSITION CATEGORIZATION 87
HRS-02(A): POSITION CATEGORIZATION | USERS WITH ELEVATED PRIVILEGES 87
HRS-03: ROLES & RESPONSIBILITIES 88
HRS-03(A): ROLES & RESPONSIBILITIES | USER AWARENESS 88
HRS-03(B): ROLES & RESPONSIBILITIES | COMPETENCY REQUIREMENTS FOR SECURITY-RELATED POSITIONS 88
HRS-04: PERSONNEL SCREENING 88
HRS-04(A): PERSONNEL SCREENING | ROLES WITH SPECIAL PROTECTION MEASURES 89
HRS-04(B): PERSONNEL SCREENING | FORMAL INDOCTRINATION 89
HRS-05: TERMS OF EMPLOYMENT 89
HRS-05(A): TERMS OF EMPLOYMENT | RULES OF BEHAVIOR 90
HRS-05(B): TERMS OF EMPLOYMENT | SOCIAL MEDIA & SOCIAL NETWORKING RESTRICTIONS 90
HRS-05(D): TERMS OF EMPLOYMENT | USE OF CRITICAL TECHNOLOGIES 90
HRS-06: ACCESS AGREEMENTS 91

HRS-06(A): ACCESS AGREEMENTS | CONFIDENTIALITY AGREEMENTS 91
HRS-07: PERSONNEL SANCTIONS 91
HRS-07(A): PERSONNEL SANCTIONS | WORKPLACE INVESTIGATIONS 92
HRS-08: PERSONNEL TRANSFER 92
HRS-09: PERSONNEL TERMINATION 93
HRS-09(A): PERSONNEL TERMINATION | ASSET COLLECTION 93
HRS-09(B): PERSONNEL TERMINATION | HIGH-RISK TERMINATIONS 93
HRS-09(C): PERSONNEL TERMINATION | POST-EMPLOYMENT REQUIREMENTS 94
HRS-10: THIRD-PARTY PERSONNEL SECURITY 94
HRS-11: SEPARATION OF DUTIES 94
HRS-12: INCOMPATIBLE ROLES 95
HRS-12(A): INCOMPATIBLE ROLES | TWO-PERSON RULE 95
IDENTIFICATION & AUTHENTICATION (IAC) 96
IAC-01: IDENTITY & ACCESS MANAGEMENT (IAM) 96
IAC-02: IDENTIFICATION & AUTHENTICATION FOR ORGANIZATIONAL USERS 96
IAC-02(B): IDENTIFICATION & AUTHENTICATION FOR ORGANIZATIONAL USERS | NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT 97
IAC-04: IDENTIFICATION & AUTHENTICATION FOR DEVICES 97
IAC-06: MULTIFACTOR AUTHENTICATION 97
IAC-06(A): MULTI-FACTOR AUTHENTICATION (MFA) | NETWORK ACCESS TO PRIVILEGED ACCOUNTS 97
IAC-06(B): MULTI-FACTOR AUTHENTICATION (MFA) | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS 98
IAC-06(C): MULTI-FACTOR AUTHENTICATION (MFA) | LOCAL ACCESS TO PRIVILEGED ACCOUNTS 98
IAC-07: USER PROVISIONING & DE-PROVISIONING 98
IAC-07(A): USER PROVISIONING & DE-PROVISIONING | CHANGE OF ROLES & DUTIES 98
IAC-07(B): USER PROVISIONING & DE-PROVISIONING | TERMINATION OF EMPLOYMENT 99
IAC-08: ROLE-BASED ACCESS CONTROL (RBAC) 99
IAC-09: IDENTIFIER MANAGEMENT (USER NAMES) 99
IAC-09(A): IDENTIFIER MANAGEMENT | USER IDENTITY (ID) MANAGEMENT 100
IAC-09(F): IDENTIFIER MANAGEMENT | PAIRWISE PSEUDONYMOUS IDENTIFIERS 100
IAC-10: AUTHENTICATOR MANAGEMENT (PASSWORDS) 100
IAC-10(A): AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION 101
IAC-10(E): AUTHENTICATOR MANAGEMENT | PROTECTION OF AUTHENTICATORS 103
IAC-10(H): AUTHENTICATOR MANAGEMENT | VENDOR-SUPPLIED DEFAULTS 103
IAC-11: AUTHENTICATOR FEEDBACK 103
IAC-12: CRYPTOGRAPHIC MODULE AUTHENTICATION 104
IAC-14: RE-AUTHENTICATION 104
IAC-15: ACCOUNT MANAGEMENT 104
IAC-15(A): ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT 105
IAC-15(B): ACCOUNT MANAGEMENT | REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS 106
IAC-15(C): ACCOUNT MANAGEMENT | DISABLE INACTIVE ACCOUNTS 106
IAC-15(D): ACCOUNT MANAGEMENT | AUTOMATED AUDIT ACTIONS 106
IAC-15(E): ACCOUNT MANAGEMENT | RESTRICTIONS ON SHARED GROUPS / ACCOUNTS 106
IAC-15(F): ACCOUNT MANAGEMENT | ACCOUNT DISABLING FOR HIGH RISK INDIVIDUALS 106
IAC-15(G): ACCOUNT MANAGEMENT | SYSTEM ACCOUNTS 106
IAC-16: PRIVILEGED ACCOUNT MANAGEMENT (PAM) 107
IAC-16(A): PRIVILEGED ACCOUNT MANAGEMENT (PAM) | PRIVILEGED ACCOUNT INVENTORIES 107
IAC-18: USER RESPONSIBILITIES FOR ACCOUNT MANAGEMENT 107
IAC-19: CREDENTIAL SHARING 108
IAC-20: ACCESS ENFORCEMENT 108
IAC-20(A): ACCESS ENFORCEMENT | ACCESS TO SENSITIVE DATA 108
IAC-20(B): ACCESS ENFORCEMENT | DATABASE ACCESS 109
IAC-20(C): ACCESS ENFORCEMENT | USE OF PRIVILEGED UTILITY PROGRAMS 109
IAC-21: LEAST PRIVILEGE 109
IAC-21(A): LEAST PRIVILEGE | AUTHORIZE ACCESS TO SECURITY FUNCTIONS 110
IAC-21(B): LEAST PRIVILEGE | NON-PRIVILEGED ACCESS FOR NON-SECURITY FUNCTIONS 110
IAC-21(C): LEAST PRIVILEGE | PRIVILEGED ACCOUNTS 110
IAC-21(D): LEAST PRIVILEGE | AUDITING USE OF PRIVILEGED FUNCTIONS 111
IAC-21(E): LEAST PRIVILEGE | PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS 111

IAC-22: ACCOUNT LOCKOUT 111
IAC-24: SESSION LOCK 111
IAC-24(A): SESSION LOCK | PATTERN-HIDING DISPLAYS 112
IAC-25: SESSION TERMINATION 112
INCIDENT RESPONSE (IRO) 112
IRO-01: INCIDENT RESPONSE OPERATIONS 112
IRO-02: INCIDENT HANDLING 113
IRO-02(A): INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES 113
IRO-02(B): INCIDENT HANDLING | IDENTITY THEFT PROTECTION PROGRAM (ITPP) 113
IRO-03: INDICATORS OF COMPROMISE (IOC) 114
IRO-04: INCIDENT RESPONSE PLAN (IRP) 114
IRO-04(A): INCIDENT RESPONSE PLAN (IRP) | PERSONAL INFORMATION (PI) PROCESSES 115
IRO-04(B): INCIDENT RESPONSE PLAN (IRP) | IRP UPDATE 116
IRO-05: INCIDENT RESPONSE TRAINING 116
IRO-06: INCIDENT RESPONSE TESTING 116
IRO-06(A): INCIDENT RESPONSE TESTING | COORDINATION WITH RELATED PLANS 117
IRO-07: INTEGRATED SECURITY INCIDENT RESPONSE TEAM (ISIRT) 117
IRO-08: CHAIN OF CUSTODY & FORENSICS 117
IRO-09: INCIDENT MONITORING & TRACKING 118
IRO-09(A): INCIDENT MONITORING & TRACKING | AUTOMATED TRACKING, DATA COLLECTION & ANALYSIS 118
IRO-10: INCIDENT REPORTING 118
IRO-10(A): INCIDENT REPORTING | AUTOMATED REPORTING 119
IRO-10(B): INCIDENT REPORTING | CYBER INCIDENT REPORTING FOR COVERED DEFENSE INFORMATION (CDI) 119
IRO-10(C): INCIDENT REPORTING | VULNERABILITIES RELATED TO INCIDENTS 119
IRO-10(D): INCIDENT REPORTING | SUPPLY CHAIN COORDINATION 119
IRO-11: INCIDENT REPORTING ASSISTANCE 120
IRO-11(B): INCIDENT REPORTING ASSISTANCE | COORDINATION WITH EXTERNAL PROVIDERS 120
IRO-13: ROOT CAUSE ANALYSIS (RCA) & LESSONS LEARNED 121
IRO-14: REGULATORY & LAW ENFORCEMENT CONTACTS 121
INFORMATION ASSURANCE (IAO) 121
IAO-01: INFORMATION ASSURANCE (IA) OPERATIONS 121
IAO-02: SECURITY ASSESSMENTS 122
IAO-02(A): SECURITY ASSESSMENTS | INDEPENDENT ASSESSORS 122
IAO-03: SYSTEM SECURITY PLANS (SSP) 122
IAO-03(A): SYSTEM SECURITY PLAN | PLAN / COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES 123
IAO-04: THREAT ANALYSIS & FLAW REMEDIATION DURING DEVELOPMENT 123
IAO-05: PLAN OF ACTION & MILESTONES (POA&M) 124
IAO-07: SECURITY AUTHORIZATION 124
MAINTENANCE (MNT) 125
MNT-01: MAINTENANCE OPERATIONS 125
MNT-02: CONTROLLED MAINTENANCE 125
MNT-04: MAINTENANCE TOOLS 126
MNT-04(A): MAINTENANCE TOOLS | INSPECT TOOLS 126
MNT-04(B): MAINTENANCE TOOLS | INSPECT MEDIA 126
MNT-05: NON-LOCAL MAINTENANCE 126
MNT-05(B): NON-LOCAL MAINTENANCE | NOTIFICATION OF NON-LOCAL MAINTENANCE 127
MNT-05(C): NON-LOCAL MAINTENANCE | CRYPTOGRAPHIC PROTECTION 127
MNT-06: MAINTENANCE PERSONNEL 127
MNT-06(A): MAINTENANCE PERSONNEL | MAINTENANCE PERSONNEL WITHOUT APPROPRIATE ACCESS 128
MOBILE DEVICE MANAGEMENT (MDM) 129
MDM-02: ACCESS CONTROL FOR MOBILE DEVICES 129
MDM-03: FULL DEVICE & CONTAINER-BASED ENCRYPTION 130
MDM-04: TAMPER PROTECTION & DETECTION 130
MDM-05: REMOTE PURGING 130
NETWORK SECURITY (NET) 131
NET-01: NETWORK SECURITY MANAGEMENT 131

NET-02: LAYERED DEFENSES 131
NET-02(B): LAYERED DEFENSES | GUEST NETWORKS 132
NET-03: BOUNDARY PROTECTION 132
NET-03(A): BOUNDARY PROTECTION | ACCESS POINTS 133
NET-03(B): BOUNDARY PROTECTION | EXTERNAL TELECOMMUNICATIONS SERVICES 133
NET-03(C): BOUNDARY PROTECTION | INTERNAL NETWORK ADDRESS SPACE 133
NET-04: DATA FLOW ENFORCEMENT – ACCESS CONTROL LISTS (ACLS) 133
NET-04(A): DATA FLOW ENFORCEMENT | DENY TRAFFIC BY DEFAULT & ALLOW TRAFFIC BY EXCEPTION 134
NET-04(F): DATA FLOW ENFORCEMENT | HUMAN REVIEWS 135
NET-05: SYSTEM INTERCONNECTIONS 135
NET-05(A): SYSTEM INTERCONNECTIONS | EXTERNAL SYSTEM CONNECTIONS 135
NET-05(B): SYSTEM INTERCONNECTIONS | INTERNAL SYSTEM CONNECTIONS 136
NET-07: NETWORK DISCONNECT 136
NET-08: NETWORK INTRUSION DETECTION & PREVENTION SYSTEMS (NIDS / NIPS) 136
NET-08(A): NETWORK INTRUSION DETECTION & PREVENTION SYSTEMS (NIDS / NIPS) | DMZ NETWORKS 137
NET-08(B): NETWORK INTRUSION DETECTION & PREVENTION SYSTEMS (NIDS / NIPS) | WIRELESS INTRUSION DETECTION / PREVENTION SYSTEMS (WIDS / WIPS) 137
NET-09: SESSION AUTHENTICITY 137
NET-10: DOMAIN NAME SERVICE (DNS) RESOLUTION 137
NET-10(A): DOMAIN NAME SERVICE (DNS) RESOLUTION | ARCHITECTURE & PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE 138
NET-10(B): DOMAIN NAME SERVICE (DNS) RESOLUTION | SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) 138
NET-12: SAFEGUARDING DATA OVER OPEN NETWORKS 138
NET-12(A): SAFEGUARDING DATA OVER OPEN NETWORKS | WIRELESS LINK PROTECTION 139
NET-12(B): SAFEGUARDING DATA OVER OPEN NETWORKS | END-USER MESSAGING TECHNOLOGIES 139
NET-13: ELECTRONIC MESSAGING 140
NET-14: REMOTE ACCESS 140
NET-14(A): REMOTE ACCESS | AUTOMATED MONITORING & CONTROL 141
NET-14(B): REMOTE ACCESS | PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION 141
NET-14(C): REMOTE ACCESS | MANAGED ACCESS CONTROL POINTS 141
NET-14(D): REMOTE ACCESS | PRIVILEGED COMMANDS & ACCESS 141
NET-14(E): REMOTE ACCESS | TELECOMMUTING 141
NET-14(F): REMOTE ACCESS | THIRD-PARTY REMOTE ACCESS GOVERNANCE 141
NET-15: WIRELESS NETWORKING 142
NET-15(A): WIRELESS ACCESS | AUTHENTICATION & ENCRYPTION 142
NET-15(E): WIRELESS ACCESS | ROGUE WIRELESS DETECTION 142
NET-16: INTRANETS 143
NET-17: DATA LOSS PREVENTION (DLP) 143
NET-18: CONTENT FILTERING 143
NET-18(A): CONTENT FILTERING | ROUTE TRAFFIC TO PROXY SERVERS 144
PHYSICAL & ENVIRONMENTAL SECURITY (PES) 144
PES-01: PHYSICAL & ENVIRONMENTAL PROTECTIONS 144
PES-02: PHYSICAL ACCESS AUTHORIZATIONS 144
PES-02(A): PHYSICAL ACCESS AUTHORIZATIONS | ROLE-BASED PHYSICAL ACCESS 146
PES-03: PHYSICAL ACCESS CONTROL 146
PES-03(A): PHYSICAL ACCESS CONTROL | CONTROLLED INGRESS & EGRESS POINTS 147
PES-03(C): PHYSICAL ACCESS CONTROL | PHYSICAL ACCESS LOGS 147
PES-04: PHYSICAL SECURITY OF OFFICES, ROOMS & FACILITIES 147
PES-04(A): PHYSICAL SECURITY OF OFFICES, ROOMS & FACILITIES | WORKING IN SECURE AREAS 148
PES-05: MONITORING PHYSICAL ACCESS 148
PES-05(A): MONITORING PHYSICAL ACCESS | INTRUSION ALARMS / SURVEILLANCE EQUIPMENT 149
PES-06: VISITOR CONTROL 149
PES-06(A): VISITOR CONTROL | DISTINGUISH VISITORS FROM ON-SITE PERSONNEL 149
PES-06(B): VISITOR CONTROL | IDENTIFICATION REQUIREMENT 149
PES-06(C): VISITOR CONTROL | RESTRICT UNESCORTED ACCESS 150
PES-07: SUPPORTING UTILITIES 150
PES-07(A): SUPPORTING UTILITIES | AUTOMATIC VOLTAGE CONTROLS 150

PES-10: DELIVERY & REMOVAL 150
PES-11: ALTERNATE WORK SITE 151
PES-12: EQUIPMENT SITING & PROTECTION 151
PES-12(A): EQUIPMENT SITING & PROTECTION | ACCESS CONTROL FOR TRANSMISSION MEDIUM 151
PES-12(B): EQUIPMENT SITING & PROTECTION | ACCESS CONTROL FOR OUTPUT DEVICES 152
PES-13: INFORMATION LEAKAGE DUE TO ELECTROMAGNETIC SIGNALS EMANATIONS 152
PRIVACY (PRI) 152
PRI-01: PRIVACY PROGRAM 153
PRI-01(A): PRIVACY PROGRAM | CHIEF PRIVACY OFFICER (CPO) 153
PRI-01(D): PRIVACY PROGRAM | DATA PROTECTION OFFICER (DPO) 153
PRI-02: NOTICE 153
PRI-02(A): NOTICE | PURPOSE SPECIFICATION 154
PRI-02(B): NOTICE | AUTOMATION 154
PRI-03: CHOICE & CONSENT 154
PRI-03(A): CHOICE & CONSENT | ATTRIBUTE MANAGEMENT 155
PRI-03(B): CHOICE & CONSENT | JUST-IN-TIME NOTICE & CONSENT 155
PRI-04: COLLECTION 155
PRI-04(A): COLLECTION | AUTHORITY TO COLLECT 155
PRI-05: USE, RETENTION & DISPOSAL 155
PRI-05(A): USE, RETENTION & DISPOSAL | INTERNAL USE 156
PRI-05(B): USE, RETENTION & DISPOSAL | DATA INTEGRITY 156
PRI-05(C): USE, RETENTION & DISPOSAL | DATA MASKING 156
PRI-05(D): USE, RETENTION & DISPOSAL | USAGE RESTRICTIONS OF PERSONAL INFORMATION (PI) 156
PRI-06: RIGHT OF ACCESS 157
PRI-06(A): RIGHT OF ACCESS | REDRESS 157
PRI-06(B): RIGHT OF ACCESS | NOTICE OF CORRECTION OR AMENDMENT 157
PRI-06(C): RIGHT OF ACCESS | APPEAL 157
PRI-06(D): RIGHT OF ACCESS | USER FEEDBACK MANAGEMENT 158
PRI-06(E): RIGHT OF ACCESS | RIGHT TO ERASURE 158
PRI-06(F): RIGHT OF ACCESS | DATA PORTABILITY 158
PRI-07: INFORMATION SHARING WITH THIRD PARTIES 158
PRI-07(A): INFORMATION SHARING WITH THIRD PARTIES | PRIVACY REQUIREMENTS FOR CONTRACTORS & SERVICE PROVIDERS 159
PRI-08: TESTING, TRAINING & MONITORING 159
PRI-09: SYSTEM OF RECORDS NOTICE (SORN) 160
PRI-10: DATA QUALITY MANAGEMENT 160
PRI-10(A): DATA QUALITY MANAGEMENT | AUTOMATION 160
PRI-12: UPDATING PERSONAL INFORMATION (PI) 161
PRI-13: DATA MANAGEMENT BOARD 161
PRI-14: PRIVACY REPORTING 162
PRI-14(A): PRIVACY REPORTING | ACCOUNTING OF DISCLOSURES 162
PRI-15: REGISTER DATABASE 162
PROJECT & RESOURCE MANAGEMENT (PRM) 164
PRM-01: SECURITY PORTFOLIO MANAGEMENT 164
PRM-03: ALLOCATION OF RESOURCES 164
PRM-04: SECURITY IN PROJECT MANAGEMENT 164
PRM-05: SECURITY REQUIREMENTS DEFINITION 165
PRM-07: SECURE DEVELOPMENT LIFE CYCLE (SDLC) MANAGEMENT 165
RISK MANAGEMENT (RSK) 166
RSK-01: RISK MANAGEMENT PROGRAM 166
RSK-01(A): RISK MANAGEMENT PROGRAM (RMP) | RISK FRAMING 166
RSK-02: RISK-BASED SECURITY CATEGORIZATION 167
RSK-03: RISK IDENTIFICATION 167
RSK-04: RISK ASSESSMENT 167
RSK-04(A): RISK ASSESSMENT | RISK REGISTER 168
RSK-05: RISK RANKING 168
RSK-06: RISK REMEDIATION 168

RSK-06(A): RISK REMEDIATION | RISK RESPONSE 169
RSK-07: RISK ASSESSMENT UPDATE 169
RSK-08: BUSINESS IMPACT ANALYSIS (BIAS) 169
RSK-09: SUPPLY CHAIN RISK MANAGEMENT PLAN 170
RSK-09(A): SUPPLY CHAIN RISK MANAGEMENT PLAN | SUPPLY CHAIN RISK ASSESSMENT 170
RSK-10: DATA PROTECTION IMPACT ASSESSMENT (DPIA) 171
SECURE ENGINEERING & ARCHITECTURE (SEA) 172
SEA-01: SECURE ENGINEERING PRINCIPLES 172
SEA-01(A): SECURE ENGINEERING PRINCIPLES | CENTRALIZED MANAGEMENT OF CYBERSECURITY & PRIVACY CONTROLS 173
SEA-02: ALIGNMENT WITH ENTERPRISE ARCHITECTURE 173
SEA-02(A): ALIGNMENT WITH ENTERPRISE ARCHITECTURE | STANDARDIZED TERMINOLOGY 173
SEA-03: DEFENSE-IN-DEPTH (DID) ARCHITECTURE 173
SEA-03(B): DEFENSE-IN-DEPTH (DID) ARCHITECTURE | APPLICATION PARTITIONING 174
SEA-04: PROCESS ISOLATION 174
SEA-04(A): PROCESS ISOLATION | SECURITY FUNCTION ISOLATION 175
SEA-05: INFORMATION IN SHARED RESOURCES 175
SEA-07: PREDICTABLE FAILURE ANALYSIS 175
SEA-07(A): PREDICTABLE FAILURE ANALYSIS | TECHNOLOGY LIFECYCLE MANAGEMENT 176
SEA-07(B): PREDICTABLE FAILURE ANALYSIS | FAIL SECURE 177
SEA-10: MEMORY PROTECTION 177
SEA-15: DISTRIBUTED PROCESSING & STORAGE 177
SEA-17: SECURE LOG-ON PROCEDURES 177
SEA-18: SYSTEM USE NOTIFICATION (LOGON BANNER) 178
SEA-18(A): SYSTEM USE NOTIFICATION | STANDARDIZED MICROSOFT WINDOWS BANNER 178
SEA-18(B): SYSTEM USE NOTIFICATION | TRUNCATED BANNER 178
SEA-20: CLOCK SYNCHRONIZATION 179
SECURITY OPERATIONS (OPS) 180
OPS-01: OPERATIONS SECURITY 180
OPS-01(A): OPERATIONS SECURITY | STANDARDIZED OPERATING PROCEDURES (SOP) 180
OPS-02: SECURITY CONCEPT OF OPERATIONS (CONOPS) 181
SECURITY AWARENESS & TRAINING (SAT) 181
SAT-01: SECURITY & PRIVACY-MINDED WORKFORCE 181
SAT-02: SECURITY & PRIVACY AWARENESS 182
SAT-02(A): SECURITY AWARENESS | PRACTICAL EXERCISES 182
SAT-02(B): SECURITY AWARENESS | SOCIAL ENGINEERING & MINING 182
SAT-03: SECURITY & PRIVACY TRAINING 183
SAT-03(C): SECURITY & PRIVACY TRAINING | SENSITIVE INFORMATION STORAGE, HANDLING & PROCESSING 183
SAT-03(E): SECURITY & PRIVACY TRAINING | PRIVILEGED USERS 184
SAT-04: TRAINING RECORDS 184
TECHNOLOGY DEVELOPMENT & ACQUISITION (TDA) 185
TDA-01: TECHNOLOGY DEVELOPMENT & ACQUISITION 185
TDA-01(A): TECHNOLOGY DEVELOPMENT & ACQUISITION | PRODUCT MANAGEMENT 185
TDA-01(B): TECHNOLOGY DEVELOPMENT & ACQUISITION | INTEGRITY MECHANISMS FOR SOFTWARE / FIRMWARE UPDATES 186
TDA-01(C): TECHNOLOGY DEVELOPMENT & ACQUISITION | MALWARE TESTING PRIOR TO RELEASE 186
TDA-02: SECURITY REQUIREMENTS 186
TDA-02(A): SECURITY REQUIREMENTS | PORTS, PROTOCOLS & SERVICES IN USE 186
TDA-02(B): SECURITY REQUIREMENTS | USE OF APPROVED PIV PRODUCTS 187
TDA-04: DOCUMENTATION REQUIREMENTS 187
TDA-04(A): DOCUMENTATION REQUIREMENTS | FUNCTIONAL PROPERTIES 188
TDA-06: SECURE CODING 188
TDA-06(A): SECURE CODING | CRITICALITY ANALYSIS 189
TDA-07: SECURE DEVELOPMENT ENVIRONMENTS 189
TDA-08: SEPARATION OF DEVELOPMENT, TESTING & OPERATIONAL ENVIRONMENTS 189
TDA-09: SECURITY & PRIVACY TESTING THROUGHOUT DEVELOPMENT 190
TDA-09(B): SECURITY & PRIVACY TESTING THROUGHOUT DEVELOPMENT | STATIC CODE ANALYSIS 190
TDA-10: USE OF LIVE DATA 190

TDA-10(A): USE OF LIVE DATA | TEST DATA INTEGRITY 191
TDA-14: DEVELOPER CONFIGURATION MANAGEMENT 191
TDA-14(A): DEVELOPER CONFIGURATION MANAGEMENT | SOFTWARE / FIRMWARE INTEGRITY VERIFICATION 191
TDA-15: DEVELOPER THREAT ANALYSIS & FLAW REMEDIATION 192
TDA-20: ACCESS TO PROGRAM SOURCE CODE 192
THIRD-PARTY MANAGEMENT (TPM) 193
TPM-01: THIRD-PARTY MANAGEMENT 193
TPM-02: THIRD-PARTY CRITICALITY ASSESSMENTS 193
TPM-03: SUPPLY CHAIN PROTECTION 194
TPM-03(A): SUPPLY CHAIN PROTECTION | ACQUISITION STRATEGIES, TOOLS & METHODS 194
TPM-03(B): SUPPLY CHAIN PROTECTION | LIMIT POTENTIAL HARM 194
TPM-03(C): SUPPLY CHAIN PROTECTION | PROCESSES TO ADDRESS WEAKNESSES OR DEFICIENCIES 195
TPM-04: THIRD-PARTY SERVICES 195
TPM-04(A): THIRD-PARTY SERVICES | THIRD-PARTY RISK ASSESSMENTS & APPROVALS 196
TPM-04(B): THIRD-PARTY SERVICES | IDENTIFICATION OF FUNCTIONS, PORTS, PROTOCOLS & SERVICES 196
TPM-04(D): THIRD-PARTY SERVICES | THIRD-PARTY PROCESSING, STORAGE AND SERVICE LOCATIONS 197
TPM-05: THIRD-PARTY CONTRACT REQUIREMENTS 197
TPM-06: THIRD-PARTY PERSONNEL SECURITY 197
TPM-08: REVIEW OF THIRD-PARTY SERVICES 198
TPM-10: MANAGING CHANGES TO THIRD-PARTY SERVICES 198
TPM-11: THIRD-PARTY INCIDENT RESPONSE & RECOVERY CAPABILITIES 199
THREAT MANAGEMENT (THR) 200
THR-01: THREAT AWARENESS PROGRAM 200
THR-03: THREAT INTELLIGENCE FEEDS 200
THR-05: INSIDER THREAT AWARENESS 201
VULNERABILITY & PATCH MANAGEMENT (VPM) 202
VPM-01: VULNERABILITY & PATCH MANAGEMENT PROGRAM 202
VPM-03: VULNERABILITY RANKING 202
VPM-04: CONTINUOUS VULNERABILITY REMEDIATION ACTIVITIES 202
VPM-04(B): CONTINUOUS VULNERABILITY REMEDIATION ACTIVITIES | FLAW REMEDIATION WITH PERSONAL INFORMATION (PI) 203
VPM-05: SOFTWARE PATCHING 203
VPM-05(A): SOFTWARE PATCHING | CENTRALIZED MANAGEMENT 204
VPM-06: VULNERABILITY SCANNING 204
VPM-06(A): VULNERABILITY SCANNING | UPDATE TOOL CAPABILITY 205
VPM-06(C): VULNERABILITY SCANNING | PRIVILEGED ACCESS 205
VPM-06(F): VULNERABILITY SCANNING | EXTERNAL VULNERABILITY ASSESSMENT SCANS 206
VPM-06(G): VULNERABILITY SCANNING | INTERNAL VULNERABILITY ASSESSMENT SCANS 206
VPM-07: PENETRATION TESTING 206
VPM-07(A): PENETRATION TESTING | INDEPENDENT PENETRATION AGENT OR TEAM 207
VPM-10: RED TEAM EXERCISES 207
WEB SECURITY (WEB) 208
WEB-01: WEB SECURITY 208
WEB-02: USE OF DEMILITARIZED ZONES (DMZ) 208
APPENDICES 208
APPENDIX A: DATA CLASSIFICATION & HANDLING GUIDELINES 208
A-1: DATA CLASSIFICATION 208
A-2: LABELING 210
A-3: GENERAL ASSUMPTIONS 210
A-4: SENSITIVE PERSONAL INFORMATION (SPI) 210
APPENDIX B: DATA CLASSIFICATION EXAMPLES 213
APPENDIX C: DATA RETENTION PERIODS 215
APPENDIX D: BASELINE SECURITY CATEGORIZATION GUIDELINES 217
D-1: DATA SENSITIVITY 217
D-2: SAFETY & CRITICALITY 217
D-3: BASIC ASSURANCE REQUIREMENTS 218

D-4: ENHANCED ASSURANCE REQUIREMENTS 218
APPENDIX E: DIGITAL SECURITY ROLES & RESPONSIBILITIES 219
E-1: CATEGORIES 219
E-2: SPECIALTY AREAS 219
E-3: ROLES & RESPONSIBILITIES 222
APPENDIX F: RULES OF BEHAVIOR / USER ACCEPTABLE USE 226
F-1: ACCEPTABLE USE 226
F-2: PROHIBITED USE 226
F-3: GUIDANCE ON THE PERSONAL USE OF COMPANY-OWNED TECHNOLOGY 227
F-4: ADDITIONAL RULES FOR SECURITY & PRIVILEGED USERS 227
APPENDIX G: SAFETY CONSIDERATIONS WITH EMBEDDED TECHNOLOGY 229
G-1: MISSION CRITICAL (SC-1) 229
G-2: BUSINESS CRITICAL (SC-2) 229
G-3: NON-CRITICAL (SC-3) 229
APPENDIX H: INDICATORS OF COMPROMISE (IOC) 230
GLOSSARY: ACRONYMS & DEFINITIONS 233
ACRONYMS 233
DEFINITIONS 233
KEY WORD INDEX 234
RECORD OF CHANGES 235
ANNEX 1: SUMMARY OF CYBERSECURITY POLICIES 236
POLICY STATEMENT 1: SECURITY & PRIVACY GOVERNANCE (GOV) POLICY 236
POLICY STATEMENT 2: ASSET MANAGEMENT (AST) POLICY 236
POLICY STATEMENT 3: BUSINESS CONTINUITY & DISASTER RECOVERY (BCD) POLICY 236
POLICY STATEMENT 4: CAPACITY & PERFORMANCE PLANNING (CAP) POLICY 236
POLICY STATEMENT 5: CHANGE MANAGEMENT (CHG) POLICY 236
POLICY STATEMENT 6: CLOUD SECURITY (CLD) POLICY 236
POLICY STATEMENT 7: COMPLIANCE (CPL) POLICY 237
POLICY STATEMENT 8: CONFIGURATION MANAGEMENT (CFG) POLICY 237
POLICY STATEMENT 9: CONTINUOUS MONITORING (MON) POLICY 237
POLICY STATEMENT 10: CRYPTOGRAPHIC PROTECTIONS (CRY) POLICY 237
POLICY STATEMENT 11: DATA CLASSIFICATION & HANDLING (DCH) POLICY 237
POLICY STATEMENT 12: EMBEDDED TECHNOLOGY (EMB) POLICY 238
POLICY STATEMENT 13: ENDPOINT SECURITY (END) POLICY 238
POLICY STATEMENT 14: HUMAN RESOURCES SECURITY (HRS) POLICY 238
POLICY STATEMENT 15: IDENTIFICATION & AUTHENTICATION (IAC) POLICY 238
POLICY STATEMENT 16: INCIDENT RESPONSE (IRO) POLICY 238
POLICY STATEMENT 17: INFORMATION ASSURANCE (IAO) POLICY 238
POLICY STATEMENT 18: MAINTENANCE (MNT) POLICY 239
POLICY STATEMENT 19: MOBILE DEVICE MANAGEMENT (MDM) POLICY 239
POLICY STATEMENT 20: NETWORK SECURITY (NET) POLICY 239
POLICY STATEMENT 21: PHYSICAL & ENVIRONMENTAL SECURITY (PES) POLICY 239
POLICY STATEMENT 22: PRIVACY (PRI) POLICY 239
POLICY STATEMENT 23: PROJECT & RESOURCE MANAGEMENT (PPM) POLICY 239
POLICY STATEMENT 24: RISK MANAGEMENT (RSK) POLICY 240
POLICY STATEMENT 25: SECURE ENGINEERING & ARCHITECTURE (SEA) POLICY 240
POLICY STATEMENT 26: SECURITY OPERATIONS (OPS) POLICY 240
POLICY STATEMENT 27: SECURITY AWARENESS & TRAINING (SAT) POLICY 240
POLICY STATEMENT 28: TECHNOLOGY DEVELOPMENT & ACQUISITION (TDA) POLICY 240
POLICY STATEMENT 29: THIRD-PARTY MANAGEMENT (TPM) POLICY 241
POLICY STATEMENT 30: THREAT MANAGEMENT (THR) POLICY 241
POLICY STATEMENT 31: VULNERABILITY & PATCH MANAGEMENT (VPM) POLICY 241
POLICY STATEMENT 32: WEB SECURITY (WEB) POLICY 241



NOTICE

REFERENCED FRAMEWORKS & SUPPORTING PRACTICES


This document references numerous leading industry frameworks in an effort to provide a data-centric, holistic approach to securely
designing, building and maintaining [Official Company Name] ([Company Name])’s systems, applications and services. The following
external content is a non-exhaustive list of frameworks that are referenced by or support this Information Security Program (ISP):

 The National Institute of Standards and Technology (NIST): 1


o NIST 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life
Cycle Approach
o NIST 800-39: Managing Cybersecurity Risk: Organization, Mission and Information System View
o NIST 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
o NIST 800-64: Security Considerations in Secure Development Life Cycle
o NIST 800-122: Guide to Protecting the Confidentiality of Personal Information (PI)
o NIST 800-160: Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of
Trustworthy Secure Systems
o NIST 800-161: Supply Chain Risk Management Practices for Federal Information Systems and Organizations
o NIST 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and
Organizations
o NIST IR 7298: Glossary of Key Cybersecurity Terms
o NIST IR 8179: Criticality Analysis Process Model: Prioritizing Systems and Components [draft]
o NIST Framework for Improving Critical Cybersecurity (Cybersecurity Framework)
 The International Organization for Standardization (ISO):2
o ISO 15288: Systems and Software Engineering -- System Life Cycle Processes
o ISO 22301: Societal Security – Business Continuity Management Systems – Requirements
o ISO 27002: Information Technology -- Security Techniques -- Code of Practice for Cybersecurity Controls
o ISO 27018: Information Technology -- Security Techniques -- Code of Practice for Protection of Personal Information
(PI) in Public Clouds Acting as PI Processors
 Other Frameworks:
o Cloud Security Alliance Cloud Controls Matrix (CSA CCM)3
o Center for Internet Security (CIS)4
o Department of Defense Cybersecurity Agency (DISA) Secure Technology Implementation Guides (STIGs)5
o Generally Accepted Privacy Practices (GAPP)6
o Fair Information Practice Principles (FIPP)7
o Control Objectives for Information and Related Technologies (COBIT)8
o Privacy by Design (PbD) 9
o AuditScripts. Open Threat Taxonomy10
o European Union Regulation 2016/279 (General Data Protection Regulation (EU GDPR))11
o Payment Card Industry Data Security Standard (PCI DSS)12

1 National Institute of Standards and Technology - http://csrc.nist.gov/publications/PubsSPs.html
2 International Organization for Standardization - https://www.iso.org
3 Cloud Security Alliance - https://cloudsecurityalliance.org/
4 Center for Internet Security - https://www.cisecurity.org/
5 DoD Information Security Agency - http://iase.disa.mil/stigs/Pages/index.aspx
6 The American Institute of CPAs - http://www.aicpa.org
7 Federal Trade Commission - https://www.ftc.gov
8 COBIT - http://www.isaca.org/COBIT/Pages/default.aspx
9 Term and principles coined by Dr. Ann Cavoukian - https://www.owasp.org/index.php/Privacy_by_Design
10 Open Threat Taxonomy - http://www.auditscripts.com/resources/open_threat_taxonomy_v1.1a.pdf
11 EU General Data Protection Regulation - http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
12 Payment Card Industry Security Standards Council - https://www.pcisecuritystandards.org/



INFORMATION SECURITY PROGRAM (ISP) OVERVIEW

INTRODUCTION
The Information Security Program (ISP) provides definitive information on the prescribed measures used to establish and enforce
the security program at [Official Company Name] ([Company Name]).

[Company Name] is committed to protecting its employees, partners, clients and [Company Name] from damaging acts that are
intentional or unintentional. Effective cybersecurity is a team effort involving the participation and support of every [Company
Name] user who interacts with data and systems. Therefore, it is the responsibility of every user to know these policies and to
conduct their activities accordingly.

Protecting company data and the systems that collect, process and maintain this information is of critical importance. Consequently,
the security of systems must include controls and safeguards to offset possible threats, as well as controls to ensure confidentiality,
integrity, availability and safety:

 Confidentiality – Confidentiality addresses preserving restrictions on information access and disclosure so that access is
restricted to only authorized users and services.
 Integrity – Integrity addresses the concern that sensitive data has not been modified or deleted in an unauthorized and
undetected manner.
 Availability – Availability addresses ensuring timely and reliable access to and use of information.
 Safety – Safety addresses reducing risk associated with embedded technologies that could fail or be manipulated by
nefarious actors.

Commensurate with risk, security measures must be implemented to guard against unauthorized access to, alteration, disclosure
or destruction of data and systems. This also includes protection against accidental loss or destruction.

PURPOSE
The purpose of the Information Security Plan (ISP) is to prescribe a comprehensive framework for:
 Creating a leading practice-based Information Security Management System (ISMS);
 Protecting the confidentiality, integrity, availability and safety of [Company Name] data and systems;
 Protecting [Company Name], its employees and its clients from illicit use of [Company Name] systems and data;
 Ensuring the effectiveness of security controls over data and systems that support [Company Name]’s operations;
 Recognizing the highly-networked nature of the current computing environment and providing effective company-wide
management and oversight of those related cybersecurity risks; and
 Providing for the development, review and maintenance of minimum security controls required to protect [Company
Name]’s data and systems.

The formation of these cybersecurity policies is driven by many factors, with the key factor being risk. These policies set the ground
rules under which [Company Name] operates and safeguards its data and systems to both reduce risk and minimize the effect of
potential incidents.

These policies, including their related control objectives, standards, procedures and guidelines, are necessary to support the
management of information risks in daily operations. The development of policies provides due care to ensure [Company Name]
users understand their day-to-day security responsibilities and the threats that could impact the company.

Implementing consistent security controls across the company will help [Company Name] comply with current and future legal
obligations to ensure long-term due diligence in protecting the confidentiality, integrity and availability of [Company Name] data.



SCOPE & APPLICABILITY
These policies, standards and guidelines apply to all [Company Name] data, systems, activities and assets owned, leased, controlled
or used by [Company Name], its agents, contractors or other business partners on behalf of [Company Name]. These policies,
standards and guidelines apply to all [Company Name] employees, contractors, sub-contractors and their respective facilities
supporting [Company Name] business operations, wherever [Company Name] data is stored or processed, including any third-party
contracted by [Company Name] to handle, process, transmit, store or dispose of [Company Name] data.

Some standards apply specifically to persons with a specific job function (e.g., a System Administrator); otherwise, all personnel
supporting [Company Name] business functions shall comply with the standards. [Company Name] departments shall use these
standards or may create a more restrictive standard, but none that are less restrictive, less comprehensive or less compliant than
these standards.

These policies do not supersede any other applicable law or higher-level company directive or existing labor management
agreement in effect as of the effective date of this policy.

Appendix E (Digital Security Roles & Responsibilities) provides a detailed description of [Company Name] user roles and
responsibilities, in regards to Information Security.

[Company Name] reserves the right to revoke, change or supplement these policies, standards and guidelines at any time without
prior notice. Such changes shall be effective immediately upon approval by management unless otherwise stated.

POLICY OVERVIEW
To ensure an acceptable level of cybersecurity risk, [Company Name] is required to design, implement and maintain a coherent set
of policies, standards, procedures and guidelines to manage risks to its data and systems.

The DSP addresses the policies, standards and guidelines. Data / process owners, in conjunction with asset custodians, are
responsible for creating, implementing and updating operational procedures to comply with DSP requirements.

[Company Name] users are required to protect and ensure the Confidentiality, Integrity, Availability and Safety (CIAS) of data and
systems, regardless of how its data is created, distributed or stored.
 Security controls will be tailored accordingly so that cost-effective controls can be applied commensurate with the risk and
sensitivity of the data and system; and
 Security controls must be designed and maintained to ensure compliance with all legal requirements.

VIOLATIONS
Any [Company Name] user found to have violated any policy, standard or procedure may be subject to disciplinary action, up to and
including termination of employment. Violators of local, state, Federal, and / or international law may be reported to the appropriate
law enforcement agency for civil and / or criminal prosecution.

EXCEPTIONS
While every exception to a standard potentially weakens protection mechanisms for [Company Name] systems and underlying data,
occasionally exceptions will exist. When requesting an exception, users are required to submit a business justification for deviation
from the standard in question.

UPDATES
Updates to the Information Security Plan (ISP) will be announced to employees via management updates or email announcements.
Changes will be noted in the Record of Changes to highlight the pertinent changes from the previous policies, procedures, standards
and guidelines.



KEY TERMINOLOGY
In the realm of cybersecurity terminology, the National Institute of Standards and Technology (NIST) IR 7298, Revision 1, Glossary
of Key Information Security Terms, is the primary reference document that [Company Name] uses to define common cybersecurity
terms. 13 Key terminology to be aware of includes:

Adequate Security. A term describing protective measures that are commensurate with the consequences and probability of loss,
misuse or unauthorized access to or modification of information.

Asset: A term describing any data, device, application, service or other component of the environment that supports information-
related activities. An asset is a resource with economic value that [Company Name] owns or controls.

Asset Custodian: A term describing a person or entity with the responsibility to assure that the assets are properly maintained, are
used for the purposes intended and that information regarding the equipment is properly documented.

Cardholder Data Environment (CDE): A term describing the area of the network that possesses sensitive data or sensitive
authentication data and those systems and segments that directly attach or support cardholder processing, storage or transmission.
Adequate network segmentation, which isolates systems that store, process or transmit sensitive data from those that do not, may
reduce the scope of the sensitive data environment and thus the scope of the Payment Card Industry Data Security Standard (PCI
DSS) assessment.

Cloud Computing. A term describing a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of
configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and
released with minimal management effort or service provider interaction. It also includes commercial offerings for software-as-a-
service, infrastructure-as-a-service and platform-as-a-service.

Control: A term describing any management, operational or technical method that is used to manage risk. Controls are designed to
monitor and measure specific aspects of standards to help [Company Name] accomplish stated goals or objectives. All controls map
to standards, but not all standards map to Controls.

Control Objective: A term describing targets or desired conditions to be met that are designed to ensure that policy intent is met.
Where applicable, Control Objectives are directly linked to an industry-recognized leading practice to align [Company Name] with
accepted due care requirements.

Data: A term describing an information resource that is maintained in electronic or digital format. Data may be accessed, searched
or retrieved via electronic networks or other electronic data processing technologies. Appendix A (Data Classification & Handling
Guidelines) provides guidance on data classification and handling restrictions.

Data / Process Owner: A term describing a person or entity that has been given formal responsibility for the security of an asset,
asset category, process or the data hosted on the asset or process. It does not mean that the asset belongs to the owner in a legal
sense. Data / process owners are formally responsible for making sure that assets are secure while they are being developed,
produced, maintained and used.

Encryption: A term describing the conversion of data from its original form to a form that can only be read by someone that can
reverse the encryption process. The purpose of encryption is to prevent unauthorized disclosure of data.

Guidelines: A term describing recommended practices that are based on industry-recognized leading practices. Unlike Standards,
Guidelines allow users to apply discretion or leeway in their interpretation, implementation or use.

Information Security: A term that covers the protection of information against unauthorized disclosure, transfer, modification or
destruction, whether accidental or intentional. The focus is on the Confidentiality, Integrity, Availability and Safety (CIAS) of data.

Information Technology (IT). A term that includes computers, ancillary equipment (including imaging peripherals, input, output and
storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing
unit of a computer, software, firmware and similar procedures, services (including support services) and related resources.

13 NIST IR 7298 - http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf



Least Privilege: A term describing the theory of restricting access by only allowing users or processes the least set of privileges
necessary to complete a specific job or function.

Personal Data / Personal Information (PI). A term describing any information relating to an identified or identifiable natural person
("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier
such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that person. 14

PI Controller / Data Controller. A term describing the privacy stakeholder (or privacy stakeholders) that determines the purposes
and means for processing Personal Information (PI), other than natural persons who use data for personal purposes.

PI Principal / Data Principal. A term describing the natural person to whom the Personal Information (PI) relates.

PI Processor / Data Processor. A term describing the privacy stakeholder that processes Personal Information (PI) on behalf of and
in accordance with the instructions of a PI controller.

Policy: A term describing a formally established requirement to guide decisions and achieve rational outcomes. Essentially, a policy
is a statement of expectation that is enforced by standards and further implemented by procedures.

Procedure: A term describing an established or official way of doing something, based on a series of actions conducted in a certain
order or manner. Procedures are the responsibility of the asset custodian to build and maintain, in support of standards and policies.

Sensitive Data: A term that covers categories of data that must be kept secure. Examples of sensitive data include sensitive Personal
Information (sPI), Electronic Protected Health Information (ePHI) and all other forms of data classified as Restricted or Confidential
in Appendix A (Data Classification & Handling Guidelines).

Sensitive Personal Data / Sensitive Personal Information (sPI): A term describing personal data, revealing:
 The first name or first initial and last name, in combination with any one or more of the following data elements: 15
o Social Security Number (SSN) / Taxpayer Identification Number (TIN) / National Identification Number (NIN);
o Driver License (DL) or another government-issued identification number (e.g., passport, permanent resident card,
etc.);
o Financial account number; or
o Payment card number (e.g., credit or debit card);
 Racial or ethnic origin;
 Political opinions;
 Religious or philosophical beliefs;
 Trade-union membership;
 Physical or mental health;
 Sex life and sexual orientation;
 Genetic data; and / or
 Biometric data.16

Standard: A term describing formally established requirements in regard to processes, actions and configurations.

System: A term describing an asset; a system or network that can be defined, scoped and managed. Includes, but is not limited to,
computers, workstations, laptops, servers, routers, switches, firewalls and mobile devices.

Target Audience: A term describing the intended group for which a control or standard is directed.

14 European Union General Data Protection Requirement – Article 4(1)
15 The source of this definition comes from two state laws - Oregon Consumer Identity Theft Protection Act - ORS 646A.600(11)(a) -
http://www.leg.state.or.us/ors/646a.html and Massachusetts 201 CMR 17.00 Standards For The Protection of Personal Information of
Residents of The Commonwealth - MA201CMR17.02 http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf
16 European Union General Data Protection Requirement – Article 9(1)



INFORMATION SECURITY PROGRAM STRUCTURE

MANAGEMENT DIRECTION FOR INFORMATION SECURITY


The objective is to provide management direction and support for cybersecurity in accordance with business requirements and
relevant laws and regulations. 17

An Information Security Management System (ISMS) focuses on cybersecurity management and technology-related risks. The
governing principle behind [Company Name]’s ISMS is that, as with all management processes, the ISMS must remain effective and
efficient in the long-term, adapting to changes in the internal organization and external environment.

In accordance with leading practices, [Company Name]’s ISMS incorporates the typical "Plan-Do-Check-Act" (PDCA), or Deming Cycle,
approach:
 Plan: This phase involves designing the ISMS, assessing IT-related risks and selecting appropriate controls.
 Do: This phase involves implementing and operating the appropriate security controls.
 Check: This phase involves reviewing and evaluating the performance (efficiency and effectiveness) of the ISMS.
 Act: This involves making changes, where necessary, to bring the ISMS back to optimal performance.

POLICIES, STANDARDS, PROCEDURES & GUIDELINES STRUCTURE


Information security documentation is comprised of five main parts: a core policy; a control objective that identifies desired
conditions; measurable standards used to quantify the requirement; procedures that must be followed; and guidelines that are
recommended, but not mandatory.

Information security documentation is comprised of five main parts:


(1) Core policy that establishes management’s intent;
(2) Control objective that identifies the condition that should be met;
(3) Standards that provide quantifiable requirements to be met;
(4) Procedures that establish how tasks must be performed to meet the requirements established in standards; and
(5) Guidelines that are recommended, but not mandatory.

Figure 1: Information Security Documentation Framework

17 ISO 27002:2013 5.1



SECURITY & PRIVACY GOVERNANCE (GOV)

Management Intent: The purpose of the Security & Privacy Governance (GOV) policy is to specify the development, proactive
management and ongoing review of [Company Name]’s security and privacy program.

Policy: [Company Name] shall protect the confidentiality, integrity, availability and safety of its data and systems, regardless of how
its data is created, distributed or stored. Digital security controls will be tailored accordingly so that cost-effective controls can be
applied commensurate with the risk and sensitivity of the data and system, in accordance with all statutory, regulatory and
contractual obligations.

Supporting Documentation: This policy is supported by the following control objectives, standards and guidelines.

GOV-01: DIGITAL SECURITY GOVERNANCE PROGRAM


Control Objective: The organization develops, implements and governs processes and documentation to facilitate the
implementation of an enterprise-wide digital security policy, as well as associated standards, controls and procedures. 18

Standard: [Company Name]’s security program shall be represented in a single document, the Information Security Plan (ISP) that:
(a) Shall be reviewed and updated at least annually; and
(b) Shall be disseminated to the appropriate parties to ensure all [Company Name] personnel understand their applicable
requirements.

Guidelines: The security plans for individual systems and the organization-wide DSP together provide complete coverage for all
cybersecurity and privacy-related controls employed within the organization.

Enhancements: None

GOV-02: PUBLISHING SECURITY & PRIVACY POLICIES


Control Objective: The organization establishes, publishes, maintains and disseminates security and privacy policies. 19

Standard: [Company Name]’s security and privacy policies and standards shall be represented in a consolidated document, the
Information Security Plan (ISP) that shall be:
(a) Endorsed by executive management; and
(b) Disseminated to the appropriate parties to ensure all [Company Name] personnel understand their applicable
requirements.

Guidelines: An organization’s cybersecurity policies create the roadmap for implementing cybersecurity and privacy measures to
protect its most valuable assets. All personnel should be aware of the sensitivity of data and their responsibilities for protecting it.

Enhancements: None

GOV-03: PERIODIC REVIEW & UPDATE OF CYBERSECURITY DOCUMENTATION


Control Objective: The organization reviews its security and privacy policies, standards and procedures at planned intervals or if
significant changes occur to ensure their continuing suitability, adequacy and effectiveness. 20

Standard: [Company Name]’s business leadership (or other accountable business role or function) shall review the Information
Security Plan (ISP) at planned intervals or as a result of changes to the organization (e.g., mergers, acquisitions, partnerships, new
products, etc.) to ensure its continuing alignment with the security strategy, risk posture, effectiveness, accuracy, relevance and
applicability to statutory, regulatory and / or contractual compliance obligations.

18 NIST 800-53 rev4 PM-1 | ISO 27002:2013 5.1.1
19 NIST 800-53 rev4 PM-1 | ISO 27002:2013 5.1.1 | NIST CSF v1.1 ID.GV-1
20 NIST 800-53 rev4 PM-1 | ISO 27002:2013 5.1.2



WEB SECURITY (WEB)

Management Intent: The purpose of the Web Security (WEB) policy is to address the risks associated with Internet-accessible
technologies.

Policy: [Company Name] shall ensure the principles of “least privilege” and “least functionality” are utilized to reduce risks
associated with managing Internet-accessible technologies and to ensure appropriate security and privacy controls are in place to
satisfy applicable statutory, regulatory and contractual requirements.

Supporting Documentation: This policy is supported by the following control objectives, standards and guidelines.

WEB-01: WEB SECURITY


Control Objective: The organization develops, implements and governs processes and documentation to facilitate the
implementation of an enterprise-wide web management policy, as well as associated standards, controls and procedures.

Standard: The Chief Information Security Officer (CISO) is responsible for developing, implementing and governing processes to
ensure Internet-exposed systems and services are:
(a) Designed and implemented to ensure both security and privacy principles exist by default;
(b) Properly maintained to reduce the attack surface area; and
(c) Regularly reviewed to ensure known vulnerabilities are remediated in a timely manner, based on the risk posed from the
threat.

Guidelines: None

Enhancements: None

WEB-02: USE OF DEMILITARIZED ZONES (DMZ)


Control Objective: The organization employs Demilitarized Zones (DMZs) to restrict inbound traffic to authorized devices on certain
services, protocols and ports. 419

Standard: [Company Name]’s IT department is required to implement and configure DMZs in accordance with industry-recognized
leading practices.

Guidelines: None

Enhancements: None

APPENDICES

APPENDIX A: DATA CLASSIFICATION & HANDLING GUIDELINES

A-1: DATA CLASSIFICATION


Information assets are assigned a sensitivity level based on the appropriate audience for the information. If the information has
been previously classified by regulatory, legal, contractual or company directive, then that classification will take precedence. The
sensitivity level then guides the selection of protective measures to secure the information. All data are to be assigned one of the
following four sensitivity levels:

419 ISO 27002:2013 13.1.3

Classification / Data Classification Description

Restricted
Definition: Restricted information is highly valuable, highly sensitive business information and the level of protection is
dictated externally by legal and / or contractual requirements. Restricted information must be limited to only authorized
employees, contractors and business partners with a specific business need.
Potential Impact of Loss:
· SIGNIFICANT DAMAGE would occur if Restricted information were to become available to unauthorized parties either internal
or external to [Company Name].
· Impact could include negatively affecting [Company Name]’s competitive position, violating regulatory requirements, damaging
the company’s reputation, violating contractual requirements and posing an identity theft risk.

Confidential
Definition: Confidential information is highly valuable, sensitive business information and the level of protection is dictated
internally by [Company Name].
Potential Impact of Loss:
· MODERATE DAMAGE would occur if Confidential information were to become available to unauthorized parties either internal or
external to [Company Name].
· Impact could include negatively affecting [Company Name]’s competitive position, damaging the company’s reputation, violating
contractual requirements and exposing the geographic location of individuals.

Internal Use
Definition: Internal Use information is information originated or owned by [Company Name] or entrusted to it by others. Internal
Use information may be shared with authorized employees, contractors and business partners who have a business need, but may
not be released to the general public, due to the negative impact it might have on the company’s business interests.
Potential Impact of Loss:
· MINIMAL or NO DAMAGE would occur if Internal Use information were to become available to unauthorized parties either internal
or external to [Company Name].
· Impact could include damaging the company’s reputation and violating contractual requirements.

Public
Definition: Public information is information that has been approved for release to the general public and is freely shareable
both internally and externally.
Potential Impact of Loss:
· NO DAMAGE would occur if Public information were to become available to parties either internal or external to [Company Name].
· Impact would not be damaging or a risk to business operations.
A-2: LABELING
Labeling is the practice of marking a system or document with its appropriate sensitivity level so that others know how to
appropriately handle the information. There are several methods for labeling information assets.
 Printed. Information that can be printed (e.g., spreadsheets, files, reports, drawings or handouts) should contain one of
the following confidentiality symbols in the document footer on every printed page (see below) or simply the words if the
graphic is not technically feasible. The exception for labeling is with marketing material, since marketing material is
primarily developed for public release.
 Displayed. Restricted or Confidential information that is displayed or viewed (e.g., websites, presentations, etc.) must be
labeled with its classification as part of the display.

A-3: GENERAL ASSUMPTIONS


 Any information created or received by [Company Name] employees in the performance of their jobs at [Company Name] is Internal Use, by
default, unless the information requires greater confidentiality or is approved for release to the general public.
 Treat information that is not assigned a classification level as “Internal Use” at a minimum and use corresponding controls.
 When combining information with different sensitivity levels into a single application or database, assign the most
restrictive classification of the combined asset. For example, if an application contains Internal Use and Confidential
information, the entire application is Confidential.
 Restricted, Confidential and Internal Use information must never be released to the general public but may be shared with
third-parties, such as government agencies, business partners or consultants, when there is a business need to do so and
the appropriate security controls are in place according to the level of classification.
 You may not change the format or media of information if the new format or media you will be using does not have the
same level of security controls in place. For example, you may not export Restricted information from a secured database
to an unprotected Microsoft Excel spreadsheet.

A-4: SENSITIVE PERSONAL INFORMATION (SPI)

Sensitive Personal Information (SPI) is defined as the first name or first initial and last name, in combination with any one or more
of the following data elements:
• Government-Issued Identification Number (e.g., passport, permanent resident card, etc.)
o Social Security Number (SSN) / Taxpayer Identification Number (TIN) / National Identification Number (NIN)
o Passport number
o Permanent resident card
• Driver License (DL)
• Financial account number
o Payment card number (credit or debit)
o Bank account number
• Electronic Protected Health Information (ePHI)

A-5: DATA HANDLING GUIDELINES

Handling Controls, by classification level (Restricted / Confidential / Internal Use / Public)

Non-Disclosure Agreement (NDA)
  Restricted:   ▪ NDA is required prior to access by non-[Company Name] employees.
  Confidential: ▪ NDA is recommended prior to access by non-[Company Name] employees.
  Internal Use: No NDA requirements
  Public:       No NDA requirements

Internal Network Transmission (wired & wireless)
  Restricted:   ▪ Encryption is required
                ▪ Instant Messaging is prohibited
                ▪ FTP is prohibited
  Confidential: ▪ Encryption is recommended
                ▪ Instant Messaging is prohibited
                ▪ FTP is prohibited
  Internal Use: No special requirements
  Public:       No special requirements

External Network Transmission (wired & wireless)
  Restricted:   ▪ Encryption is required
                ▪ Instant Messaging is prohibited
                ▪ FTP is prohibited
                ▪ Remote access should be used only when necessary and only with VPN and two-factor authentication
  Confidential: ▪ Encryption is required
                ▪ Instant Messaging is prohibited
                ▪ FTP is prohibited
  Internal Use: ▪ Encryption is recommended
                ▪ Instant Messaging is prohibited
                ▪ FTP is prohibited
  Public:       No special requirements

Data At Rest (file servers, databases, archives, etc.)
  Restricted:   ▪ Encryption is required
                ▪ Logical access controls are required to limit unauthorized use
                ▪ Physical access restricted to specific individuals
  Confidential: ▪ Encryption is recommended
                ▪ Logical access controls are required to limit unauthorized use
                ▪ Physical access restricted to specific groups
  Internal Use: ▪ Encryption is recommended
                ▪ Logical access controls are required to limit unauthorized use
                ▪ Physical access restricted to specific groups
  Public:       ▪ Logical access controls are required to limit unauthorized use
                ▪ Physical access restricted to specific groups

Mobile Devices (iPhone, iPad, MP3 player, USB drive, etc.)
  Restricted:   ▪ Encryption is required
                ▪ Remote wipe must be enabled, if possible
  Confidential: ▪ Encryption is required
                ▪ Remote wipe must be enabled, if possible
  Internal Use: ▪ Encryption is recommended
                ▪ Remote wipe should be enabled, if possible
  Public:       No special requirements

Email (with and without attachments)
  Restricted:   ▪ Encryption is required
                ▪ Do not forward
  Confidential: ▪ Encryption is required
                ▪ Do not forward
  Internal Use: ▪ Encryption is recommended
  Public:       No special requirements

Physical Mail
  Restricted:   ▪ Mark “Open by Addressee Only”
                ▪ Use “Certified Mail” and sealed, tamper-resistant envelopes for external mailings
                ▪ Delivery confirmation is required
                ▪ Hand deliver internally
  Confidential: ▪ Mark “Open by Addressee Only”
                ▪ Use “Certified Mail” and sealed, tamper-resistant envelopes for external mailings
                ▪ Delivery confirmation is required
                ▪ Hand delivering is recommended over interoffice mail
  Internal Use: ▪ Mail with company interoffice mail
                ▪ US Mail or other public delivery systems and sealed, tamper-resistant envelopes for external mailings
  Public:       No special requirements

Printer
  Restricted:   ▪ Verify destination printer
                ▪ Attend printer while printing
  Confidential: ▪ Verify destination printer
                ▪ Attend printer while printing
  Internal Use: ▪ Verify destination printer
                ▪ Retrieve printed material without delay
  Public:       No special requirements

Web Sites
  Restricted:   ▪ Posting to intranet sites is prohibited, unless the site is pre-approved to contain Restricted data.
                ▪ Posting to Internet sites is prohibited, unless the site is pre-approved to contain Restricted data.
  Confidential: ▪ Posting to publicly-accessible Internet sites is prohibited.
  Internal Use: ▪ Posting to publicly-accessible Internet sites is prohibited.
  Public:       No special requirements

Telephone
  Restricted:   ▪ Confirm participants on the call line
                ▪ Ensure private location
  Confidential: ▪ Confirm participants on the call line
                ▪ Ensure private location
  Internal Use: No special requirements
  Public:       No special requirements

Video / Web Conference Call
  Restricted:   ▪ Pre-approve roster of attendees
                ▪ Confirm participants on the call line
                ▪ Ensure private location
  Confidential: ▪ Pre-approve roster of attendees
                ▪ Confirm participants on the call line
                ▪ Ensure private location
  Internal Use: ▪ Pre-approve roster of attendees
                ▪ Confirm participants on the call line
  Public:       No special requirements

Fax
  Restricted:   ▪ Attend receiving fax machine
                ▪ Verify destination number
                ▪ Confirm receipt
                ▪ Do not fax outside company without manager approval
  Confidential: ▪ Attend receiving fax machine
                ▪ Verify destination number
                ▪ Confirm receipt
                ▪ Do not fax outside company without manager approval
  Internal Use: No special requirements
  Public:       No special requirements

Paper, Film / Video, Microfiche
  Restricted:   ▪ Return to owner for destruction
                ▪ Owner personally verifies destruction
  Confidential: ▪ Shred or delete all documents or place in secure receptacle for future shredding
  Internal Use: ▪ Shred or delete all documents or place in secure receptacle for future shredding
  Public:       No special requirements

Storage Media (Hard Disk Drives (HDDs), Flash drives, tapes, CDs / DVDs, etc.)
  Restricted:   ▪ Physically destroy the hard drives and media
                ▪ Requires use of company-approved vendor for destruction
  Confidential: ▪ Physically destroy the hard drives and media or use commercial overwrite software to destroy the data on the media (quick reformat of the media is not sufficient)
  Internal Use: ▪ Physically destroy the hard drives and media or use commercial overwrite software to destroy the data on the media
  Public:       ▪ Physically destroy the hard drives and media or use commercial overwrite software to destroy the data on the media

APPENDIX B: DATA CLASSIFICATION EXAMPLES

The table below shows examples of common data instances that are already classified, to simplify the process. This list does not cover
every type of data, but it establishes a baseline for what constitutes each data sensitivity level and will be adjusted to accommodate new
types of data or changes to data sensitivity levels, when necessary.

IMPORTANT: You are instructed to classify data at a higher sensitivity level than this guide indicates if you feel that the content warrants it.

Data Class / Sensitive Data Elements (each element is marked in the source table as Public, Internal Use, Confidential or Restricted)

Client or Employee Personal Data
  Social Security Number (SSN)
  Employer Identification Number (EIN)
  Driver’s License (DL) Number
  Financial Account Number
  Payment Card Number (credit or debit)
  Government-Issued Identification (e.g., passport, permanent resident card, etc.)
  Birth Date
  First & Last Name
  Age
  Phone and / or Fax Number
  Home Address
  Gender
  Ethnicity
  Email Address

Employee-Related Data
  Compensation & Benefits Data
  Medical Data
  Workers Compensation Claim Data
  Education Data
  Dependent or Beneficiary Data

Sales & Marketing Data
  Business Plan (including marketing strategy)
  Financial Data Related to Revenue Generation
  Marketing Promotions Development
  Internet-Facing Websites (e.g., company website, social networks, blogs, promotions, etc.)
  News Releases

Networking & Infrastructure Data
  Username & Password Pairs
  Public Key Infrastructure (PKI) Cryptographic Keys (public & private)
  Hardware or Software Tokens (multifactor authentication)
  System Configuration Settings
  Regulatory Compliance Data
  Internal IP Addresses
  Privileged Account Usernames
  Service Provider Account Numbers

Strategic Financial Data
  Corporate Tax Return Information
  Legal Billings
  Budget-Related Data
  Unannounced Merger and Acquisition Information
  Trade Secrets (e.g., design diagrams, competitive information, etc.)

Operating Financial Data
  Electronic Payment Information (Wire Payment / ACH)
  Paychecks
  Incentives or Bonuses (amounts or percentages)
  Stock Dividend Information
  Bank Account Information
  Investment-Related Activity
  Account Information (e.g., stocks, bonds, mutual funds, money markets, etc.)
  Debt Amount Information
  SEC Disclosure Information

APPENDIX C: DATA RETENTION PERIODS

The following schedule highlights suggested retention periods* for some of the major categories of data:
* Retention periods are measured in years after the triggering event (e.g., termination, expiration, contract, filing, etc.)

Category: Type of Record (Retention Period, in years or Permanent)

Business Records
  Amendments: Permanent
  Annual Reports: Permanent
  Articles of Incorporation: Permanent
  Board of Directors (elections, minutes, committees, etc.): Permanent
  Bylaws: Permanent
  Capital stock & bond records: Permanent
  Charter: Permanent
  Contracts & agreements: Permanent
  Copyrights: Permanent
  Correspondence (General): 5
  Correspondence (Legal): Permanent
  Partnership agreement: Permanent
  Patents: Permanent
  Servicemarks: Permanent
  Stock transfers: Permanent
  Trademarks: Permanent

Financial Records
  Audit report (external): Permanent
  Audit report (internal): 3
  Balance sheets: Permanent
  Bank deposit slips, reconciliations & statements: 7
  Bills of lading: 3
  Budgets: 3
  Cash disbursement & receipt record: 7
  Checks (canceled): 3
  Credit memos: 3
  Depreciation schedule: 7
  Dividend register & canceled dividend checks: Permanent
  Employee expense reports: 3
  Employee payroll records (W-2, W-4, annual earnings records, etc.): 7
  Financial statements (annual): Permanent
  Freight bills: 3
  General ledger: Permanent
  Internal reports (work orders, sales reports, production reports): 3
  Inventory lists: 3
  Investments (sales & purchases): Permanent
  Profit / Loss statements: Permanent
  Purchase and sales contracts: 3
  Purchase order: 3
  Subsidiary ledgers (accounts receivable, accounts payable, etc.): Permanent
  Tax returns: Permanent
  Vendor Invoices: 7
  Worthless securities: 7

Personnel Records
  Accident report / injury claim: 7
  Attendance Records: 3
  Employee benefit plans: 7
  Employment applications (not hired): 3
  Garnishments: 3
  I-9 Forms: 3
  Medical and exposure records related to toxic substances: Permanent
  Organization Charts: Permanent
  OSHA Logs: 5
  OSHA Training Documentation: 5
  Patents: Permanent
  Pension plan agreement: Permanent
  Personnel files: 4
  Profit sharing agreement: Permanent
  Time cards and daily time reports: 3

Insurance
  Fire inspection reports: 7
  Group disability records: 7
  HIPAA-related documentation: 6
  Insurance policies: 7
  Safety records: 3
  Settled insurance claims: 7

Real Estate
  Deeds: Permanent
  Mortgages: 3
  Plans & blueprints: Permanent
  Plant cost ledger: Permanent
  Property appraisals: Permanent
  Property register: Permanent

Miscellaneous
  Server audit trail history: 1
  Workstation audit trail history: 1
  Router audit trail history: Permanent
  Firewall audit trail history: Permanent
  Visitor logs: 1

APPENDIX D: BASELINE SECURITY CATEGORIZATION GUIDELINES

Assets and services are categorized by two primary attributes: (a) the potential impact they pose from misuse and (b) the data
classification level of the data processed, stored or transmitted by the asset or process. These two attributes combine to establish
a basis for controls that should be assigned to that system or asset. This basis is called an Assurance Level (AL).

D-1: DATA SENSITIVITY


This attribute is straightforward: the data sensitivity rating is the highest data classification of the data processed, stored or
transmitted by the asset or process.

D-2: SAFETY & CRITICALITY


The Safety & Criticality (SC) rating reflects two aspects of the “importance” of the asset or process:
• On one hand, SC simply represents the importance of the asset relative to the achievement of the company’s goals and
objectives (e.g., business critical, mission critical or non-critical).
• On the other hand, SC represents the potential for harm that misuse of the asset or service could cause to [Company Name],
its clients, its partners or the general public.

The three (3) SC ratings are:

• SC-1: Mission Critical. This category involves systems, services and data that are determined to be vital to the operations or
mission effectiveness of [Company Name]:
o Includes systems, services or data with the potential to significantly impact the brand, revenue or customers.
o Any business interruption would have a significant impact on [Company Name]’s mission.
▪ Cannot go down without having a significant impact on [Company Name]’s mission.
▪ The consequences of loss of integrity or availability of an SC-1 system are unacceptable and could include
the immediate and sustained loss of mission effectiveness.
o Requires the most stringent protection measures, exceeding leading practices, to ensure adequate security.
o Safety aspects of SC-1 systems, services and data could lead to:
▪ Catastrophic hardware failure;
▪ Unauthorized physical access to premises; and / or
▪ Physical injury to users.
• SC-2: Business Critical. This category involves systems, services and data that are determined to be important to the support
of [Company Name]’s business operations:
o Includes systems, services or data with the potential to moderately impact the brand, revenue or customers.
o Affected systems, services or data can go down for up to twenty-four (24) hours (e.g., one (1) business day) without
having a significant impact on [Company Name]’s mission.
▪ Loss of availability is difficult to deal with and can only be tolerated for a short time.
▪ The consequences could include delay or degradation in providing important support services or
commodities that may seriously impact mission effectiveness or the ability to operate.
▪ The consequences of loss of integrity are unacceptable.
o Requires protection measures equal to or beyond leading practices to ensure adequate security.
o Safety aspects of SC-2 systems could lead to:
▪ Loss of privacy; and / or
▪ Unwanted harassment.
• SC-3: Non-Critical. This category involves systems, services and data that are necessary for the conduct of day-to-day
operations, but are not business critical in the short term:
o Includes systems, services or data with little or no potential to impact the brand, revenue or customers.
o Affected systems, services or data can go down for up to seventy-two (72) hours (e.g., three (3) business days)
without having a significant impact on [Company Name]’s mission.
▪ The consequences of loss of integrity or availability can be tolerated or overcome without significant
impacts on mission effectiveness.
▪ The consequences could include the delay or degradation of services or routine activities.
o Requires protection measures that are commensurate with leading practices to ensure adequate security.
o Safety aspects of SC-3 systems could lead to:
▪ Inconvenience;
▪ Frustration; and / or
▪ Embarrassment.

The intersection of the data sensitivity rating and the SC rating determines the Assurance Level (AL). The AL represents the “level of effort”
needed to properly ensure the Confidentiality, Integrity, Availability and Safety (CIAS) of the asset or process.

Asset Categorization Matrix

Safety & Criticality            Data Sensitivity
                                RESTRICTED    CONFIDENTIAL    INTERNAL USE    PUBLIC
SC-1 Mission Critical           Enhanced      Enhanced        Enhanced        Enhanced
SC-2 Business Critical          Enhanced      Enhanced        Basic           Basic
SC-3 Non-Critical               Enhanced      Basic           Basic           Basic

Figure D-1: Asset Categorization Risk Matrix

D-3: BASIC ASSURANCE REQUIREMENTS

• The minimum level of controls is defined as industry-recognized leading practices (e.g., PCI DSS, NIST 800-53, ISO 27002,
etc.).
• For security controls in Basic assurance projects or initiatives, the focus is on the cybersecurity controls being in place, with
the expectation that no obvious errors exist and that, as flaws are discovered, they are addressed in a timely manner.

D-4: ENHANCED ASSURANCE REQUIREMENTS

• The minimum level of controls is defined as exceeding industry-recognized leading practices (e.g., DLP, FIM, DAM, etc.).
• For security controls in Enhanced Assurance projects, the Basic Assurance level is expanded to require
more robust IT security capabilities that are commensurate with the value of the project to [Company Name].
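As an added example (not part of the ISP document), the following Python helper implements three rules from these appendices together: the "most restrictive classification wins" rule for combined assets from A-3, the Data At Rest controls from the A-5 handling table, and the Assurance Level matrix of Figure D-1. The class and function names, the control labels and the hypothetical HR application are assumptions made for the example.

```python
"""Added example, not part of the ISP document: a small helper that
implements rules stated in Appendices A and D (names are assumed)."""
from enum import IntEnum

class Sensitivity(IntEnum):
    """Data classification levels, ordered least to most sensitive."""
    PUBLIC = 0
    INTERNAL_USE = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3

# Figure D-1 (Asset Categorization Risk Matrix): SC rating -> Assurance
# Level per sensitivity, indexed in Sensitivity value order
# (PUBLIC, INTERNAL_USE, CONFIDENTIAL, RESTRICTED).
AL_MATRIX = {
    "SC-1": ("Enhanced", "Enhanced", "Enhanced", "Enhanced"),
    "SC-2": ("Basic", "Basic", "Enhanced", "Enhanced"),
    "SC-3": ("Basic", "Basic", "Basic", "Enhanced"),
}

# "Data At Rest" row of the A-5 handling table. Encryption is mandatory
# only for Restricted; below that it is recommended, so not enforced here.
REQUIRED_AT_REST = {
    Sensitivity.PUBLIC: {"logical_access", "physical_access"},
    Sensitivity.INTERNAL_USE: {"logical_access", "physical_access"},
    Sensitivity.CONFIDENTIAL: {"logical_access", "physical_access"},
    Sensitivity.RESTRICTED: {"logical_access", "physical_access", "encryption"},
}

def asset_sensitivity(element_levels):
    """A-3: an asset holding mixed data takes its most restrictive level;
    data with no assigned level (None) counts as Internal Use at minimum."""
    levels = [Sensitivity.INTERNAL_USE if lvl is None else lvl
              for lvl in element_levels]
    return max(levels, default=Sensitivity.INTERNAL_USE)

def assurance_level(sensitivity, sc_rating):
    """Figure D-1 lookup: Assurance Level for a sensitivity / SC pair."""
    return AL_MATRIX[sc_rating][int(sensitivity)]

def transfer_allowed(sensitivity, target_controls):
    """A-3: a new format or medium must carry the same level of controls.
    Returns (allowed, controls the target medium is missing)."""
    missing = REQUIRED_AT_REST[sensitivity] - set(target_controls)
    return (not missing, sorted(missing))

if __name__ == "__main__":
    # Constructed sample: an HR application rated SC-2 (Business Critical)
    # whose owner assigned these levels to its data; not taken from Appendix B.
    hr_app = [Sensitivity.INTERNAL_USE, Sensitivity.RESTRICTED, None]
    level = asset_sensitivity(hr_app)
    print(level.name, assurance_level(level, "SC-2"))   # RESTRICTED Enhanced
    # Exporting to an unprotected spreadsheet (no encryption) is refused.
    print(transfer_allowed(level, {"logical_access", "physical_access"}))
```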
